We can see that we have a valid Kerberos ticket for the elatov.net domain. As long as my IWA server's hostname is within that domain (i.e. iwa.elatov.net), we can proceed to configure the browser to trust the elatov.net domain. If you look under the Internet Explorer settings (Tools -> Internet Options -> Security -> Local Intranet -> Custom Level), you will notice that automatic logon is allowed by default for sites in the Intranet Zone:

Now all we have to do is add our domain to the Local Intranet Zone in Internet Explorer and we will be all set. This is done by going to Tools -> Internet Options -> Security -> Local intranet -> Sites -> Advanced and adding the following site: https://*.elatov.net/:

Mozilla/Firefox

Mozilla currently supports a whitelist of sites that are permitted to engage in SPNEGO authentication with the browser. This list is intended to be configured by an IT department prior to distributing Mozilla to end-users.

network.negotiate-auth.trusted-uris lists the sites that are permitted to engage in SPNEGO authentication with the browser, and network.negotiate-auth.delegation-uris lists the sites for which the browser may delegate user authorization to the server. network.automatic-ntlm-auth.trusted-uris lists the trusted sites for NTLM authentication.

To modify these settings, start Firefox, enter about:config in the address bar, and modify just the top two options to include our domain (elatov.net):
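Because these prefs are comma-separated lists and a scheme-only entry such as "https://" would allow every HTTPS site to trigger Negotiate (or, worse, credential delegation), it is worth auditing a deployed profile. The following script is an added example, not part of the original post: it parses the user_pref lines of a Firefox user.js/prefs.js and flags entries in the three prefs above that reach beyond an allowed domain; the SAMPLE_USER_JS content is constructed for illustration.

```python
import re

# Matches a string-valued line: user_pref("name", "value");
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);')

# The three prefs discussed above; delegation-uris is the most sensitive.
NEGOTIATE_PREFS = (
    "network.negotiate-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
    "network.automatic-ntlm-auth.trusted-uris",
)

# Constructed sample user.js content, not taken from a real profile.
SAMPLE_USER_JS = """
user_pref("network.negotiate-auth.trusted-uris", "elatov.net");
user_pref("network.negotiate-auth.delegation-uris", "https://, .elatov.net");
user_pref("network.automatic-ntlm-auth.trusted-uris", "corp.example");
user_pref("browser.startup.homepage", "about:blank");
"""

def parse_user_prefs(text):
    """Return {pref_name: value} for every string pref in user.js/prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def entry_host(entry):
    """Reduce a list entry ('elatov.net', '.elatov.net', 'https://x/') to a bare host."""
    host = entry.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.strip("/").lstrip(".")

def audit_negotiate_prefs(prefs, allowed_domain):
    """Return (pref, entry, reason) for entries that reach beyond allowed_domain."""
    allowed = allowed_domain.lower().lstrip(".")
    findings = []
    for name in NEGOTIATE_PREFS:
        for entry in filter(None, (e.strip() for e in prefs.get(name, "").split(","))):
            host = entry_host(entry)
            if host == "":
                findings.append((name, entry, "scheme-only entry matches every site"))
            elif host != allowed and not host.endswith("." + allowed):
                findings.append((name, entry, "host is outside " + allowed))
    return findings
```

Running audit_negotiate_prefs(parse_user_prefs(SAMPLE_USER_JS), "elatov.net") on the sample reports the "https://" delegation entry and the out-of-domain NTLM entry, while the two elatov.net entries pass.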

Chrome/Chromium

In Windows only, if the AuthServerWhitelist setting is not specified, the permitted list consists of those servers in the Local Machine or Local Intranet security zone (for example, when the host in the URL includes a "." character it is outside the Local Intranet security zone), which is the behavior present in IE. Treating servers that bypass proxies as being in the intranet zone is not currently supported.

So if we configure the Local Intranet Security Zone appropriately in Internet Explorer then Chrome will use those settings as well.

Mac OS X

As long as the Mac OS X system is joined to the domain (I will talk more about that below) and has a valid Kerberos ticket, you can launch Chrome with the following command:

Safari and Mac OS X

Apple and Microsoft both support Kerberos to provide a secure single sign-on environment. When integrated into an Active Directory environment, OS X uses Kerberos exclusively for all authentication activities. The use of Microsoft's NT LAN Manager (NTLM) suite of protocols, including both NTLMv1 and NTLMv2, can be prohibited on the network as needed, without affecting Mac computers or services provided by OS X Server within the Active Directory environment.

When a user logs in to a Mac using an Active Directory account, the Active Directory domain controller automatically issues a Kerberos Ticket Granting Ticket (TGT). When the user attempts to use any service on the domain that supports Kerberos authentication, the TGT generates a ticket for that service without requiring the user to authenticate again.

You can use the Kerberos administration tools on a Mac to view currently issued tickets, either from the command line, where klist displays the current tickets, or by using the graphical Ticket Viewer utility located at /System/Library/CoreServices/Ticket Viewer.app.

As long as klist shows something similar to this, Safari will work by default: